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Abstract 

It  is  well-recognized  that  for  large  catastrophes  such  as  tornadoes, 
earthquakes,  disease  outbreaks,  or  aftermath  of  a  war,  coalitions 
that  can  coordinate  and  exploit  resources  and  capabilities  of  many 
organizations  are  required  to  respond  effectively.  It  is  our  thesis 
that  in  such  coalition  environments,  classical  security  policies  and 
access-control  mechanisms  need  to  be  augmented  by  incorporat¬ 
ing  the  notion  of  risk  and  trustworthiness  of  the  parties  involved. 
In  this  paper,  we  systematically  analyze  what  trust  is,  highlight 
challenges  in  incorporating  the  notion  of  trust  in  coalition  envi¬ 
ronments,  and  put  forward  a  proposal  to  address  these  challenges. 

1  Introduction 

It  is  well-recognized  that  for  large  catastrophes  such  as  torna¬ 
does,  earthquakes,  disease  outbreaks,  or  aftermath  of  a  war,  re¬ 
sources  and  capabilities  of  many  organizations  need  to  be  coordi¬ 
nated  to  respond  effectively  [1].  In  such  situations,  autonomous 
organizations  form  coalitions  out  of  necessity  and  share  their  re¬ 
sources  and  capabilities  with  others  to  achieve  common  goals  [3]. 
The  member  organizations  in  such  coalitions  can  be  of  all  sizes 
and  capabilities — ranging  from  well-trained  and  well-equipped 
national  forces  to  small  ad  hoc  groups  of  individuals  having  unsur¬ 
passed  knowledge  of  local  geography,  culture,  needs,  etc.  Mem¬ 
bers  join  and  depart  coalitions  based  on  individual  goals,  objec¬ 
tives,  and  capabilities  [1], 

Based  on  past  experiences  with  the  classical  security  policies 
and  access-control  mechanisms,  it  is  clear  that  to  support  coali¬ 
tions  that  can  be  rapidly  created,  modified,  and  dissolved,  these 
mechanisms  need  to  be  augmented  by  incorporating  the  notion  of 
risk  and  trustworthiness  of  the  parties  involved  [7],  Traditionally, 
an  examination  of  the  centrally-issued  credentials  has  been  the 
usual  method  of  certifying  trustworthiness.  However,  such  cre¬ 
dentials  are  assigned  after  a  time  consuming  and  laborious  pro- 
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cess,  and  may  not  be  available  in  a  new  theater  of  operation  or 
when  the  span  of  operations  stretches  across  continents.  Even 
if  the  process  of  getting  centrally-issued  credentials  was  readily 
available,  members  of  a  coalition  may  be  reluctant  to  go  through 
the  process  for  a  variety  of  reasons  (including  privacy,  cost,  and 
perception  of  others).  In  such  situations,  a  workable  model  of 
security  that  does  not  rely  on  centrally  assigned  credentials  can 
enable  a  much  higher  degree  of  operational  tempo. 

There  are  two  factors  that  contribute  to  the  challenges  in  design¬ 
ing  a  workable  trust  management  system  for  the  kind  of  dynamic 
environment  described  above.  First,  when  autonomous  organi¬ 
zations  have  their  own  policies,  risk  postures,  cultures  that  lead 
them  to  evaluate  and  perceive  risk  differently.  Second,  organiza¬ 
tions  may  have  relationship  with  one  another  outside  the  context 
of  a  coalition  that  needs  to  be  taken  into  account.  A  trust  manage¬ 
ment  system  must  provide  flexibility  to  accommodate  these  needs 
and  be  responsive  to  the  dynamic  coalition  environments. 

2  Contributions  of  This  Paper 

This  paper  provides  a  holistic  view  of  trust  in  coalition  environ¬ 
ments  by  going  back  to  the  seminal  works  of  McKnight  and  Cher- 
vany  [9],  and  Hung,  Dennis,  and  Robert  [6],  We  examine  issues 
related  to  trust  in  the  context  of  a  coalition  lifecycle.  We  then  pro¬ 
pose  a  new  trust  model  and  metric,  inspired  by  the  work  of  Reiter 
and  Stubblebine  [12],  for  trust  management  in  coalition  environ¬ 
ments. 

Our  proposal  is  a  departure  from  the  traditional  models  of  trust 
in  a  distributed  network.  The  key  difference  is  that  our  proposal 
does  not  require  the  path  independence  assumption  to  estimate 
risk  inherent  in  a  transaction  as  opposed  to  the  traditional  trust 
models  [8].  We  show  that  our  proposal  can  be  used  to  provide 
several  other  desirable  properties  in  a  trust  management  system  in¬ 
cluding  flexibility  to  accommodate  heterogeneous  coalition  part¬ 
ners. 

3  Trust 

We  start  by  providing  a  brief  summary  of  the  work  by  McKnight 
and  Chervany  [9],  which  contains  a  comparative  study  of  sixty 
research  articles  or  books,  to  provide  an  answer  to  the  question 
“what  is  trust?”  We  follow  this  by  a  short  summary  of  the  work 
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by  Hung,  Dennis,  and  Robert  [6]  to  examine  the  issue  of  trust 
formation. 

3.1  What  is  Trust? 

It  is  generally  agreed  that  trust  is  the  expectation  or  likelihood  of 
an  agent  behaving  in  a  specific  manner  in  a  given  context.  Thus 
a  trust  relationship  involves  three  entities:  truster,  trustee,  and 
trust  context.  Depending  on  the  trust  context,  a  truster  evaluates  a 
trustee  using  subjective  and  objective  criteria.  In  particular,  based 
on  their  extensive  survey,  McKnight  and  Chervany  [9]  list  four 
properties,  benevolence,  honesty,  competence,  and  predictability 
that  a  truster  evaluates  before  trusting  an  agent. 

McKnight  and  Chervany  describe  a  set  of  six  inter-related  trust 
constructs  that  are  factors  in  forming  a  trust  relationship  between 
a  truster  and  a  trustee  in  a  given  context.  The  first  factor  is  situ¬ 
ational  trust  that  describes  the  extent  to  which  one  intends  to  de¬ 
pend  on  a  non-specific  other  party  in  a  given  situation.  This  could 
be  a  situation  in  which  there  is  much  to  be  gained  from  trusting 
but  little  attendant  risk. 

The  second  factor  system  trust  describes  the  extent  to  which  one 
agent  believes  that  proper  impersonal  structures  such  as  regula¬ 
tions,  guarantees,  contracts,  or  normality  of  situation,  are  in  place 
to  enable  trustee  to  anticipate  a  successful  future  endeavor.  Specif¬ 
ically,  in  the  context  of  communication  and  networking  systems, 
this  will  include  trust  placed  in  cryptosystems,  intrusion-detection 
mechanisms,  firewalls,  etc. 

The  third  factor  disposition  trust  is  a  cross-situational,  cross¬ 
personal  construct  that  recognizes  that  agents  will  develop,  over 
the  course  of  their  actions,  generalized  expectations  about  the 
trustworthiness  of  other  agents.  Thus,  by  definition,  dispositional 
trust  is  a  consistent  tendency  to  trust  across  a  broad  spectrum  of 
situations  and  persons.  McKnight  and  Chervany  provide  an  il¬ 
lustrative  example,  where  when  asked  if  he  trusted  his  new  man¬ 
ager,  an  employee  said  that  he  generally  trusts  new  people,  both 
at  work,  or  elsewhere.  We  describe  this  situation  as  the  aforemen¬ 
tioned  employee  having  a  high  degree  of  disposition  trust. 

Last  three  inter-related  trust  factors  are  trusting  belief  trusting 
intention,  and  trusting  behavior.  Trusting  belief  means  the  extent 
to  which  one  agent  believes  (and  feels  confident  in  believing)  that 
the  other  person  is  benevolent,  honest,  competent,  predictable,  etc. 
in  a  given  context1. 

Trusting  intention  means  the  extent  to  which  one  agent  is  will¬ 
ing  to  depend  on  another  agent  in  a  given  context  with  a  feeling 
of  relative  security,  even  though  negative  consequences  are  pos¬ 
sible.  Finally,  trusting  behavior  means  the  extent  to  which  one 
agent  voluntarily  depends  on  another  agent  in  a  given  context  with 
a  feeling  of  relative  security,  even  though  negative  consequences 
are  possible2. 

Trusting  behavior  is  the  final  result  of  interaction  among  all  of 
the  other  trust  constructs.  Trusting  behavior  is  often  described 
quantitatively  by  measurable  indicators ,  referred  to  in  this  paper 

'In  different  contexts,  different  sets  of  properties,  including  those  not  listed 
above,  may  be  important. 

'The  difference  between  trusting  intention  and  trusting  behavior  is  subtle — 
trusting  intention  supports  trusting  behavior,  or  in  other  words,  trusting  intention 
is  an  antecedent  to  trusting  behavior.  While  this  distinction  is  useful  for  and  is 
a  subject  of  psychological  and  sociological  studies,  for  our  purpose,  it  suffices  to 
focus  on  trusting  behavior. 


as  trust  metrics.  The  main  objective  of  a  trust  management  system 
is  to  facilitate  trusting  behavior  and  provide  trust  metrics  that  can 
be  used  in  risk  assessments. 

3.2  How  is  Trust  Formed? 

Based  on  the  dual  process  theories  of  cognition  [11],  Hung,  Den¬ 
nis,  and  Robert  propose  that  trust  behavior  forms  via  three  dis¬ 
tinct  routes  at  different  stages  of  a  trust  relationship:  the  periph¬ 
eral  route,  the  central  route,  and  the  habitual  route  [6],  In  the 
initial  stages  of  a  trust  relationship,  truster  relies  on  peripheral 
cues  (e.g.,  third  party  information,  roles,  categories);  once  there  is 
a  shared  history  between  truster  and  trustee,  they  use  the  central 
route  to  evaluate  properties  such  as  honesty,  competence,  benevo¬ 
lence,  and  predictability  to  form  trust;  finally,  after  a  long  period 
of  shared  history,  truster  develops  a  habitual  pattern  of  trust  and  is 
no  longer  interested  in  actively  evaluating  trust. 

This  discussion  of  trust  brings  out  the  importance  of  hetero¬ 
geneity  in  coalition  environments.  Trusting  behavior  is  agent  spe¬ 
cific  and  it  depends  on  an  agent’s  individual  situation,  disposition, 
beliefs,  and  intentions,  and  its  past  history  and  relationship  with 
the  trustee.  While  in  e-commerce  and  peer-to-peer  file  sharing 
(eBay  and  Gnutella  being  the  canonical  examples,  respectively), 
it  is  reasonable  to  assume  that  most  benevolent  agents  are  homo¬ 
geneous,  that  is  they  largely  have  similar  situation,  disposition, 
beliefs,  and  intentions,  the  same  is  not  true  for  coalition  environ¬ 
ments  where  even  benevolent  agents  differ  considerably.  Thus, 
trust  management  systems  from  the  e-commerce  world  cannot  be 
deployed  talis  qualis. 

4  Trust  in  Coalition  Environments 

In  order  to  determine  requirements  for  managing  trust  in  a  coali¬ 
tion  environment,  it  is  instructive  to  consider  a  model  of  collabo¬ 
ration  lifecycle  in  a  coalition  mission  and  examine  various  aspects 
of  collaboration  relevant  to  forming  trust.  Clark  et  al.  have  pro¬ 
posed  a  model  of  the  collaboration  lifecycle  which  consists  of  the 
following  seven  phases  [4]: 

1.  Identify  mutual  interest  The  first  stage  is  the  identification  of 
the  need  as  well  as  possibility  of  collaboration.  In  a  dynamic  sit¬ 
uation,  even  in  presence  of  need,  a  lack  of  prior  trust  relationship 
may  inhibit  collaboration.  In  such  situations,  a  trust  management 
system  should  provide  a  mechanism  to  establish  initial  trust. 

2.  Establish  operational  requirements  and  benefits  Collabo¬ 
ration  always  involves  an  investment,  if  not  in  resources,  then  in 
time  and  opportunity  cost,  so  it  is  usual  to  consider  operational 
requirements  and  benefits  of  a  collaboration.  For  the  exposition 
in  this  paper,  we  will  assume  that  the  mission  requires  that  coali¬ 
tion  partners  leverage  each  other’s  resources.  Examples  of  these 
resources  include  different  types  of  sensors  and  sensor  platforms, 
personals  with  a  certain  set  of  skills,  etc.  We  will  assume  that  these 
resources  cannot  be  substitutes  for  one  another,  e.g.,  an  acoustic 
sensor  cannot  be  substituted  by  a  vibration  sensor.  We  will  also 
assume  that  it  is  possible  to  quantify  these  resources,  e.g.  five 
acoustic  sensors,  ten  scouts,  etc. 

The  next  two  phases  are  concerned  with  establishing  the  ‘indi¬ 
rect  cost’  of  collaboration. 

3.  Identify  exposed  assets  and  associated  security  impacts  This 
is  the  first  stage  of  a  security  assessment.  It  is  used  to  establish  the 


assets  (or  classes  of  asset)  that  may  be  at  risk,  unwanted  outcomes 
(e.g.  unauthorized  disclosure)  and  the  impact  of  each  unwanted 
outcome  (e.g.  prejudice  operation,  damage  to  the  nation,  cost). 
On  indirect  risk  of  a  collaboration  is  dependency  on  resources 
provided  by  a  coalition  partner.  In  collaborative  activities,  a  risk 
analysis  necessarily  needs  to  take  into  account  the  possibility  that 
a  coalition  partner  may  not  deliver  the  resources  as  agreed  while 
the  mission  planning  stage. 

4.  Establish  possible  threats  and  risk  mitigation  factors  In  a 

conventional  risk  assessment,  the  next  stage  is  to  identify  threat 
paths  and  technical,  management,  or  operational  controls  that  can 
help  mitigate  the  most  significant  risks. 

Trust  plays  a  crucial  role  at  this  stage.  In  particular,  before  a 
trusting  behavior  can  be  established,  partners  would  assess  var¬ 
ious  trust  constructs  as  described  in  the  previous  section.  As¬ 
sessing  these  trust  constructs  would  involve  a  range  of  factors  in¬ 
cluding  the  likelihood  of  attackers  within  the  collaborators  user 
population,  the  quality  of  their  system  implementation,  operation 
and  management,  agreement  to  process  auditing,  electronic  sys¬ 
tem  compliance  monitoring,  tmsted  computing  etc.  In  a  particular 
environment,  the  risk  to  security  may  turn  out  to  be  too  high  to 
be  acceptable,  and  risk  mitigation  measures  may  need  to  be  put  in 
place  before  a  collaboration  can  occur.  Risk  mitigation  measures 
may  include  securing  the  possibility  of  using  a  backup  in  case  a 
coalition  partner  fails  to  contribute  as  planned. 

5.  Agree  the  conduct  of  the  collaboration  A  collaboration  will 
usually  develop  a  formal  or  informal  operational  agreement  with 
an  understanding  that  deviating  from  the  agreed  conduct  may  be 
penalized.  Trust  tokens  can  serve  at  this  stage  as  a  technical  proxy 
for  the  agreed  conduct  of  collaboration — trust  token  may  provide 
assurance  of  a  certain  behavior  and  in  turn,  the  system  may  guar¬ 
antee  that  the  conduct  of  collaborating  parties  would  directly  or 
indirectly  impact  content  of  their  trust  tokens. 

6.  Establish  collaboration  mechanisms  The  next  stage  is  to 
make  the  collaboration  operational.  A  large  part  of  collaboration 
mechanisms  are  concerned  with  joint  access  control  and  usage  of 
resources  which  includes  authentication  and  identity  management 
mechanisms. 

7.  Decommission  the  collaboration  The  final  stage  in  the  life- 
cycle  is  the  decommissioning  of  a  collaboration.  From  the  trust 
management  perspective,  in  this  phase,  history  of  collaboration 
needs  to  be  stored,  and  feedback  needs  to  be  provided,  for  future 
evaluations  of  trust  metrics. 

5  A  Proposal  for  Trust  Management  in  Coalition 
Environments 

The  primary  goal  of  a  trust  management  system  is  to  provide  trust 
metrics ,  a  measurable  indicator  of  trust3  among  agents.  As  dis¬ 
cussed  in  Section  3,  trust  is  formed  on  the  basis  of  a  set  of  inter¬ 
related  trust  constructs.  Among  these  trust  constructs,  situational 
trust,  system  trust,  and  disposition  trust  are  private  properties  of 
the  agent.  We  expect  that  partners  in  a  coalition  will  have  different 
degrees  of  disposition  trust  influenced  by,  and  derived  from,  their 
respective  institutionalized  culture  and  policies  formed  as  a  result 

3  According  to  McNight  and  Chervany  trusting  behavior  is  the  measurable 
quantity.  In  this  section,  we  will  use  the  words  trusting  behavior  and  trust  in¬ 
terchangeably. 


Figure  1 :  Recommendation  and  Consensus  Operators 


of  their  mission  and  past  experiences.  Similarly,  situational  trust 
and  system  trust  will  vary  from  agent  to  agent. 

Among  the  remaining  three  trust  constructs,  trusting  belief  can 
be  considered  as  the  basic  input  to  computing  trust  metrics4.  Re¬ 
call  that  trusting  belief  is  the  extent  to  which  one  agent  believes 
that  another  agent  is  benevolent,  honest,  competent,  predictable, 
etc.  in  a  given  context. 

5.1  Traditional  Trust  Management  Systems 

In  traditional  trust  management  systems  [13,  14],  constructed  typ¬ 
ically  for  peer-to-peer  systems  or  e-commerce,  an  agent  A  has 
two  basic  ways  of  establishing  trusting  belief  in  another  agent  P: 
past  experiences  of  A  in  interactions  with  P  or  recommendation 
of  P  by  other  agents.  This  gives  rise  to  reputation  graphs  which 
are  used  by  traditional  trust  management  system  to  compute  trust 
metrics.  We  will  discuss  their  suitability  for  coalition  operations 
next. 

To  introduce  reputation  graphs,  it  convenient  to  use  a  simplified 
model  of  agent  interactions.  We  model  an  agent  P  as  a  binary 
hypothesis;  for  example,  the  agent  P  provides  either  ‘good’  or 
‘bad’  service.  In  Figure  1,  the  agent  P  has  direct  past  experience 
with  the  agent  P.  Agents  C  and  D  have  direct  past  experiences 
with  how  good  is  agent  P’s  opinion  of  other  agents.  Similarly,  the 
agent  B  has  direct  past  experience  with  how  good  are  agents  C’ s 
and  P’s  opinions  of  other  agents. 

Suppose  the  agent  A  wants  to  establish  trusting  belief  in  the 
agent  P.  Since  the  agent  A  does  not  have  any  direct  past  experi¬ 
ence  with  P,  it  can  send  a  query  to  the  trust  management  system 
(or  asks  P  itself),  and  discover  that  the  agent  E  has  direct  past 
experience  with  P.  However,  if  the  agent  E  sends  its  estimate 
of  P  directly  to  A,  then  this  estimate  alone  is  useless  for  A  since 
A  does  not  have  any  experience  in  how  good  a  recommendation 
from  E  is.  Thus  the  problem  of  finding  out  quality  of  agent  P 
reduces  to  the  problem  of  finding  out  how  good  P’s  recommenda¬ 
tion  is.  A  can  again  send  a  query  and  discover  that  C  and  D  have 
direct  experience  of  how  good  P’s  recommendation  is,  and  then 
the  problem  reduces  to  finding  out  how  good  P’s  and  P’s  recom¬ 
mendations  of  other  agents  are.  In  this  way,  the  trust  evaluation 
continues  recursively  along  all  paths  from  P  to  A. 

There  are  two  basic  operators  over  trust  metrics  that  form  the 
basis  of  the  procedure  given  above,  namely,  discounting  and  a 
consensus  operators  [8].  Suppose  A  has  a  belief  about  P’s  capa¬ 
bilities,  and  further  P  has  an  opinion  about  C.  From  these  two 
belief  functions,  one  would  like  to  derive  a  belief  function  which 

4As  commented  earlier,  we  can  ignore  the  subtle  distinction  between  trusting 
intension  and  trusting  behavior  for  the  purpose  of  this  paper. 


reflects  A’s  view  about  C  (via  B).  This  operation  is  called  dis¬ 
counting  and  is  denoted  by  ®;  for  example,  in  our  case,  Up®Up, 
where  u  represents  the  chosen  trust  metric5,  reflects  ,4’s  view  of 
C  formed  via  B. 

The  second  operator  is  required  to  derive  the  consensus  of  two 
possibly  conflicting  and  uncertain  opinions  that  reflects  both  opin¬ 
ions  in  a  fair  and  equal  way.  This  operator  is  called  the  consensus 
operator  and  is  denoted  by  ®.  For  example,  in  Figure  1,  B  has 
two  opinions,  one  from  C  and  another  from  I)  about  E;  and  in 
this  case,  Up  ®  Up.  represents  the  trust  metric  obtained  as  a  result 
of  taking  consensus  of  C  and  D's  opinion  of  E. 

Unfortunately,  the  discounting  operator  is  not  typically6 *  dis¬ 
tributive  over  the  consensus  operator.  In  Figure  1,  B  has  an  opin¬ 
ion  about  both  C  and  I).  and  C  and  1)  have  an  opinion  about  E, 
and  the  latter  in  turn  has  an  opinion  about  P.  There  are  two  pos¬ 
sible  ways  to  arrive  at  B’s  opinion  about  P.  First,  C  and  D  could 
compute  Up  =  Up  ®  c Op,  and  Up  =  Up  ®  Up,  respectively.  The 
agent  B  can  then  receive  opinons  of  C  and  D,  and  further  dis¬ 
count  it  to  compute  Up  ®  Up  ®  Up  and  Up  ®  Up  ®  Up.  Finally, 
B  can  use  consensus  operator  to  combine  these  opinions,  in  effect 
computing 

(wc  <8>  Up  ®  Up )  ®  (Up  ®  Up  <g)  Up)  (1) 

Note  that  the  calculation  above  can  be  carried  out  in  a  dis¬ 
tributed  fashion.  However,  the  resulting  trust  metric  is  not  ac¬ 
curate  since,  typically,  the  consensus  operator  ®  assumes  that 
its  operands  are  independent,  while  in  (1),  Up  occurs  in  both 
operands  of  the  consensus  operator. 

An  alternative  is  to  compute  the  more  accurate  expression 

{{up  ®  u p )  ®  ( Up  ®  w^))  ®  Up  (2) 

which  too  is  undesirable  since  it  cannot  be  computed  in  a  dis¬ 
tributed  manner,  and  as  a  result  incurs  computational  and  trans¬ 
mission  overhead. 

Most  of  the  prior  work  that  uses  peer-to-peer  architecture 
[14,  3,  13]  uses  (1),  or  a  variation  thereof,  to  compute  trust  met¬ 
rics.  However,  as  the  independence  assumption  does  not  hold, 
trust  metrics  computed  in  this  manner  cannot  be  assigned  a  pre¬ 
cise  meaning  [12],  Furthermore,  the  use  of  (1)  is  an  invitation 
to  several  attacks  such  as  free-riding,  pseudospoofing,  and  Sybil 
attacks.  This  is  to  be  contrasted  with  the  RS -model  of  minimum 
capacity  cut  measure,  where  many  of  these  problems  are  greatly 
alleviated. 

5.2  The  Reiter-Stubblebine  Model  and  Metric 

Reiter  Stubblebine  (RS-)  metric  [12]  operates  on  a  directed 
(acyclic)  graph.  Before,  we  go  into  the  details  of  the  model,  it 

5j0sang  [8]  proposes  using  a  trust  metric  that  consists  of  two  values  represent- 
ing  belief  and  uncertainty  in  belief.  Several  other  trust  metrics  have  been  proposed, 
e.g.,  in  [13,  14],  they  all  require  discounting  and  consensus  operators  to  combine 
two  trust  metrics  into  a  single  one. 

6  In  some  work  [13],  operators  are  defined  in  such  a  way  that  the  discounting 

operator  becomes  distributive  over  the  consensus  operator.  This  is  achieved  at  the 

cost  of  discarding  much  of  the  information  present  in  a  reputation  graph.  This,  we 

believe,  weakens  the  natural  protection  provided  by  distributed,  multiple  sources 
of  information  in  a  high  threat  environment  such  as  the  one  in  which  coalition 
partners  are  using  a  MANET. 


Figure  2:  The  Reiter-Stubblebine  Metric 


is  necessary  to  recall  a  few  concepts  from  the  Graph  Theory.  Sup¬ 
pose  G(V,  E )  is  a  directed  graph  with  a  source  vertex  s  and  a  sink 
vertex  t.  Suppose  each  edge  e  in  E  has  a  capacity  henceforth 
denoted  by  c(e). 

Definition  1  (Simple-Path  Flow)  A  simple -path  flow  f(sfl) 
consists  of  a  simple  path1  p(sfl)  in  G  that  starts  at  the  ver¬ 
tex  s  and  ends  at  the  vertex  t  and  has  a  flow  value  k  such  that 

k  ^  mineep(Sit)  c(e). 

Definition  2  (Flow)  A  flow  F(s,  t)  is  a  set  ofn  simple-path  flows 
f2(s,t), . . . ,  fn(s,t),  n  ^  1,  that  satisfy  the  following 
constraint  imposed  by  the  capacity  of  the  edges  in  graph  G: 

n 

y: Ie(fi)ki  ^  c(e)  flee  E 

i=  1 

where  ki  is  the  flow  value  of  fi,  and  Ie(fi)  —  1  if  the  simple  path 
corresponding  to  /,;  contains  e,  and  Ie(fi)  =  0  otherwise. 

The  flow  value  of  F(s,  t )  is  given  by  k  =  ki.  The  maxi¬ 

mum  possible  flow  value  of  a  flow  between  s  and  t  is  referred  to 
as  the  maximum  flow  between  s  and  t  on  the  graph  G. 

In  Reiter  and  Stubblebine  model,  nodes  in  the  graph  represent 
public  keys8,  and  the  edge  c(Ka,  Kb),  denoted  by  Ka—*Kb  for 
brevity,  exists  in  the  graph  if  the  user  is  in  possession  of  a  certifi¬ 
cate  that  assigns  attributes  (including  an  owner)  to  Kb,  and  whose 
signature  can  be  verified  using  Ka- 

Assume  that  the  ‘capacity’  of  an  edge  Ka~>Kb  represents  the 
amount9  for  which  the  owner  of  Ka  ‘insures’  the  attributes  and 
integrity  of  Kb-  In  other  words,  it  is  the  value  for  which  the  owner 
of  Ka  will  be  liable  to  the  user  if  the  attributes  bound  to  Kb  in 
the  certificate  are  incorrect,  or  if  the  private  key  (corresponding  to 
Kb)  is  used  to  mislead  the  user,  intentionally  or  otherwise.  It  is 
natural  to  assume  that  this  numeric  value  is  one  of  the  attributes 
included  in  the  certificate  that  the  edge  represents. 

1 A  simple  path  has  no  repeated  vertices. 

Considering  nodes  to  be  public  keys  explicitly  acknowledges  the  problem  of 
binding  a  particular  key  to  a  particular  owner. 

'The  unit  of  this  amount  is  left  unspecified  here  —  it  could  represent  risk  tokens 
as  suggested  by  the  Jason  report  [7],  however,  it  is  easier  to  think  in  term  of  hard 
currency. 


The  metric  is  best  described  using  the  example  in  Figure  2.  If 
the  attributes  bound  to  KT  (the  target  public  key)  turn  out  to  be 
false,  the  owners  of  K />,  Kb,  and  Ke  are  each  liable  to  the  user 
for  the  amount  up  to  200,  600,  and  100  respectively.  It  is  also 
possible  that  when  the  user  goes,  say,  to  the  owner  of  Kb,  the 
owner  (or  its  attributes  as  certified)  turns  out  to  be  delinquent,  and 
hence  the  user  now  is  owed  by  owners  of  K,\  and  K(:,  for  the 
amount  of  up  to  100  each.  Assuming  that  the  owner  of  Kg  is 
fully  trusted,  using  the  above  reasoning  iteratively,  a  simple -path 
flow  /  from  Kg  to  Kt  with  a  flow  value  of  k  can  be  used  to 
insure  an  amount  of  k.  This  follows  by  definition  since  the  issuer 
of  a  certificate  is  responsible  for  an  amount  up  to  the  ‘capacity’ 
indicated  in  the  certificate;  and  the  capacity  of  each  edge  on  a 
simple-path  flow  is  at  least  k  providing  the  user  a  guarantee  of 
recovery  up  to  the  amount  k. 

By  extending  this  logic  further,  a  flow  F  between  Kg  and  Kt 
with  flow  value  k  can  be  used  to  insure  the  amount  k;  and  the 
maximum  flow  between  Kg  and  Kt  is  the  maximum  amount  that 
can  be  insured  using  the  graph  G.  By  using  the  Ford-Fulkerson 
algorithm,  the  maximum  flow  can  be  computed  efficiently,  and  as 
shown  in  their  famous  result,  it  equals  to  the  value  of  the  minimum 
capacity  cut  in  the  graph.  For  example,  in  Figure  2,  the  minimum 
cut  as  shown  has  value  500,  and  that  is  the  maximum  value  that 
can  be  insured  using  this  graph. 

Some  of  the  salient  qualities  of  this  metric  and  model  (follow¬ 
ing  the  principles  enunciated  in  [12])  are  as  follows:(a)  the  user  is 
not  required  to  ascertain  name  to  key  bindings  to  construct  the 
model,  except  for  the  root  CA,  whose  name  to  key  binding  is 
reputed,  (b)  the  final  metric  computed  is  intuitive,  (c)  the  final 
metric  lets  the  user  ascertain  the  risk  involved  in  using  Kt,  (d) 
the  final  metric  is  computed  easily  using  the  Ford-Fulkerson  algo¬ 
rithm  [5,  10],  (e)  the  metric  can  be  computed  with  partial  informa¬ 
tion,  and  still  give  meaningful  results,  and  (f)  the  insurance  metric 
allows  the  user  to  be  protected  from  dependencies  in  the  graph, 
whether  they  are  unintentional  or  malicious. 

The  last  point  is  worth  an  extra  emphasis.  Unintentional  or  ma¬ 
licious  dependencies  in  the  reputation  graph  are  at  the  root  of  the 
problems  with  traditional  trust  metrics  discussed  in  the  earlier  sec¬ 
tion.  RS  metric  has  no  such  dependencies  as  the  issuer  of  a  cer¬ 
tificate  is  ultimately  responsible  for  its  use. 

6  The  New  Model  and  Metric 

While  the  RS -model  is  attractive,  it  is  not  directly  applicable  to 
the  coalition  scenario.  Towards  that,  our  proposal  is  to  include 
two  enhancements  to  the  RS-model.  First,  the  RS-model  assumes 
a  setting  where  all  transactions  between  coalition  partners  can  be 
‘monetized’.  As  discussed  in  Section  4,  in  a  joint  mission,  coali¬ 
tion  partners  rely  on  each  other  for  providing  heterogeneous,  in¬ 
comparable  resources,  or  services,  that  cannot  be  compared  with 
each  other.  Therefore,  instead  of  assigning  a  single  ‘capacity’  to 
each  edge,  we  need  to  annotate  each  edge  with  a  vector  ‘capacity’ 
label  so  that  the  i-th  coordinate  of  the  capacity  vector  represents 
the  amount  of  the  i-th  resource  vouched  by  the  party  issuing  the 
certificate.  Second,  it  is  natural  that  each  agent  issuing  a  certifi¬ 
cate  to  another  agent  would  compute  a  probability  of  certificate 
misuse.  If  this  probability  is  included  in  the  certificates,  then  it 
can  be  used  to  estimate  risk;  for  example,  it  can  be  used  to  cal¬ 


culate  the  probability  that  for  a  given  mission,  the  owner  of  Kg, 
would  have  to  pitch  in  the  resources  or  provide  the  service  due  to 
the  failure  of  other  agents.  In  the  following,  we  discuss  these  two 
enhancements  in  more  detail,  but  before  that,  we  need  to  extend 
some  graph-theoretic  results  presented  in  the  previous  section. 

Suppose  G(V,  E)  is  a  directed  graph  with  a  source  vertex  s  and 
a  sink  vertex  t.  Suppose  every  edge  e  in  E  has  an  m-dimensional 
capacity  label  (c1(e),  c2(e), . . . ,  cm(e))  with  c*(e)  being  the  ca¬ 
pacity  of  the  edge  e  for  resource  II; .  We  will  refer  to  a  graph  of 
this  type  as  a  multi-resource  graph. 

Definition  3  (Multi-Resrouce  Simple-Path  Flow)  A  simple- 

path  flow  f(s,  t )  consists  of  a  simple  path  p(s,  t)  in  G  that  starts 
at  the  vertex  s  and  ends  at  the  vertex  t,  and  has  a  flow  value 
k  =  (£r,  k2, . . . ,  km)  such  that  k 1  ^  mine6p(s  t)  c1(e),  k2  ^ 
mine6ps(M)  c2(e), . . . ,  km  <  mineeps(s>t)  cm(e). 

Definition  4  (Multi-Resource  Flow)  A  flow  F(s,  t)  is  a  set  of  n 

simple-path  flows  fi(s,  t),  f2{s,  t), . . . ,  /ra(s,  t),  n  ^  1  that  sat¬ 
isfy  the  following  constraint  imposed  by  the  capacity  of  edges  in 
the  graph  G: 


y  Ie{fi )kf  ^  c?(e)  We  e  E,  1  <  j  <  m 

i= 1 


where  ki  is  the  flow  value  of  ffls,  t),  and  Ie(fi)  =  1  if  the  simple 
path  corresponding  to  fi  contains  e,  and  Ie(fi)  =  0,  otherwise. 

The  flow  value  of  F(s,  t)  is  given  by  k  =  X]"=i  = 

(V"  k1  k2  V"  k"‘  \ 

tzLa=l  i  Z-,i= 1  N  >  •  •  •  5  1  'W  )■ 


Since  the  value  of  a  flow  in  this  case  is  multi-dimensional,  it 
is  not  straightforward  to  define  the  notion  of  maximum  flow  on 
a  graph  as  the  flow  values  cannot  be  totally  ordered.  For  two 
flows  F\  and  F2  with  flow  values  k\  and  k2,  we  say  F\  has  more 
flow  than  F2,  F\  ^  F2,  if  (k\  ^  k\,k2  ^  k2, ... ,  k\n  ^  kJf  ). 
Keeping  with  the  intuition  of  the  previous  section  and  generaliz¬ 
ing  the  notion  of  maximum  flow,  we  want  to  find  a  set  of  flows 
{Fi,  F2, . . . ,  Fi}  such  that  F-t  ,  F2, . . . ,  F/  cannot  be  compared  to 
each  other,  and  for  any  other  flow  Fr,  there  is  a  flow  Fj,  for  some 
j  £  {1,2,...,/},  that  has  more  flow  than  Fr.  It  turns  out  that  for 
any  graph,  this  can  be  accomplished  by  a  single  flow,  that  is  /  =  1 
and  there  exists  a  single  flow  Fmax  such  that  for  any  other  flow 
Fr  on  the  graph,  Fmax  f  Fr. 

Theorem  1  Given  a  multi-resource  graph  G  with  a  source  s  and 
a  sink  t,  there  exists  a  single  flow  Fmax  such  that  for  any  other 
flow  Fr,Fmax  f  Fr. 

Proof:  Consider  a  flow  F:l  that  maximizes  the  flow  of  resource 
Rj  and  has  zero  flow  for  all  other  resources.  This  flow  can  be 
computed  by  considering  only  the  y-th  component  of  the  capac¬ 
ity  labels  and  using  the  Ford-Fulkerson  algorithm  on  the  resulting 
graph.  Denote  the  set  of  simple -path  flows  that  constitute  F 2  by 
AT  Let  k2  (f)  denote  the  y-th  component  of  the  flow  value  of 
a  simple -path  flow  /,  and  by  slight  abuse  of  notation  let  k2(F) 
denote  the  the  y-th  component  of  the  flow  value  of  a  flow  F. 


Figure  3:  The  New  Metric 


Now  consider  the  set  of  simple-path  flows  A  =  U™;1AJ  .  A  is  a 
flow  since  it  satisfies  the  required  capacity  constraint: 

YJW)kj{f)=YJW)k\f)  (3) 

/e  A  /e  Aj 

=  k\F)  (4) 

<  c’(e)  Ve  e  -E,  1  <  j  <  m  (5) 

where  (3)  follows  since  only  the  simple -path  flows  in  have 

non-zero  flow  of  Rj,  and  (4)  and  (5)  follow  from  the  definition  of 
a  multi-resource  flow  as  given  above. 

Clearly,  any  other  flow  has  less  flow  value  than  A  since  its  flow 
value  is  (fc1( F 1),  k2(F2), . . . ,  km(Fm ))  which,  by  construction, 
is  maximum  possible  value  in  each  dimension  for  the  given  graph. 
□ 

With  these  definitions  and  result  in  place,  we  are  ready  to  de¬ 
scribe  the  proposed  enhancement  to  the  RS  model. 

6.1  Protocol 

On  the  surface,  the  protocol  is  relatively  simple — a  coalition  part¬ 
ner  A  who  wants  to  vouch  for  the  capacity  of  another  coalition 
partner  B  to  provide  resources  R\ ,  Ri , . . . ,  Rm  issues  a  certifi¬ 
cate  that  includes  the  maximum  amount  of  vouched  resources 
c(Ka,Kb)  =  {c1(KA,KB),c1(KAlKB),...,cm(KA,KB)). 
As  usual,  we  will  omit  arguments,  KA,  KB,  when  they  are  clear 
from  the  context.  These  certificates  may  be  chained  leading  to  a 
directed  acyclic10  graph:  the  nodes  in  this  graph  are  public  keys  of 
the  participating  entities,  and  an  edge  KA—>KB  exists  in  the  graph 
if  the  user  is  in  possession  of  a  certificate  that  assigns  resource- 
capacity  attributes  (and  exclusive  owner(s))  to  KB,  and  whose 
signature  can  be  verified  using  KA.  Inclusion  of  the  capacity  at¬ 
tributes  for  various  resources  in  a  certificate  KA—>KB  amounts 
to  a  guarantee  by  A  that  should  the  capacity  attributes  bounds  in 
the  certificate  are  found  to  be  incorrect,  or  if  the  private  key  (cor¬ 
responding  to  Kb)  is  used  to  mislead  the  user,  intentionally  or 
otherwise,  then  A  will  instead  provide  the  resource  Ri  to  the  user 
up  to  the  amount  c*. 

The  certificate  corresponding  to  an  edge  KA—>KB  may  include 
other  qualifying  attributes.  A  simple  example  will  be  time  dura- 

10Without  any  loss  of  generality  we  can  assume  that  the  graph  is  acyclic. 


tion  for  which  the  certificate  is  valid.  Here  we  will  focus  on  the 
probability  p(KA ,  I\B)  that  the  issuer  A  of  a  certificate  KA-^KB 
computes  that  B,  the  owner  of  KB,  will  be  able  to  fulfil  its  obliga¬ 
tions  as  specified  by  the  attributes  in  the  certificate.  Essentially,  p 
represents  A’s  trust  in  certain  capabilities  of  B.  How  A  computes 
or  estimates  this  trust  is  left  unspecified;  it  is  assumed  that  each 
coalition  partner  will  have  its  own  methodology  to  assess  trust. 
This  is  one  of  the  key  features  of  the  proposed  model  that  it  does 
not  require  coalition  partners  to  use  compatible  trust  management 
systems.  We  will  come  back  to  this  issue  and  elaborate  it  further. 

Assume  that  a  coalition  partner  X  wishes  to  conduct  a  mission 
M  in  collaboration  with  a  coalition  partner  T,  and  it  relies  on  T 
to  provide  Ml  units  of  resource  II,.  Reliance  on  T  to  provide 
resources  represents  an  inherent  risk  from  the  perspective  of  X 
since  T  may  fail.  In  order  to  estimate  this  risk,  either  X  can  rely 
on  its  direct  past  experience  with  T,  or  acquire  trust  in  T  oth¬ 
erwise.  The  proposed  model  of  certificate  chains  is  one  way  to 
acquire  or  augment  trust  for  coalition  partners. 

For  instance.  Figure  3  shows  a  graph  that  includes  a  probabil¬ 
ity  (trust  value  of  certified  party  according  to  certifying  party)  and 
a  capacity  on  each  edge.  For  simplicity,  we  will  only  consider 
one  resource  R\  at  this  time.  Certificates  in  the  certificate  chain 
Ks~>Ka—>Kb^>Kt  vouch  for  the  capability  of  the  certified  par¬ 
ties  to  provide  104,  100,  600  units  of  resource  i?i,  respectively. 
Therefore  if  a  coalition  partner  X  has  absolute  trust  in  S  to  honor 
its  obligations,  it  can  use  this  certificate  chain  to  obtain  100  units 
of  resource  R\.  Should  T  fail  to  provide  the  resources,  X  would 
be  able  to  rely  on  certificate  Kb—>Kt  and  ask  B  to  fulfil  the 
demand  for  100  units  of  resources  R\.  According  to  B,  the  prob¬ 
ability  of  this  scenario  unfolding  is  (1  —  0.99)  =  0.01.  In  case, 
B  also  fails  (according  to  A,  the  probability  of  B  failing  is  0.02), 
X  has  to  go  to  A;  and  in  case,  A  fails,  X  would  have  to  go  to  S 
and  ask  for  resources.  Specifics  of  risk  calculation  will  depend  on 
the  specifics  of  the  scenario — a  risk  analysis  will  take  into  account 
various  probability  of  failures;  it  may  also  take  into  account  addi¬ 
tional  burden  incurred  by  X  in  contacting  B,  A,  and  S,  should  it 
become  necessary. 

The  situation  gets  more  interesting  when  we  consider  multiple 
simple  paths  from  S  to  the  target  entity  T.  As  an  example,  again 
consider  Figure  3.  Any  simple  path  Pi  from  S  to  T  can  be  treated 
as  a  certificate  chain,  and  the  minimum  value  of  c  on  Pt,  denoted 
c, ,  is  the  limit  on  the  amount  of  R  \  in  a  mission  planning  that  uses 
the  path  P,  .  For  instance,  as  computed  above,  using  the  middle 
path  Kb,  Ka,  Kb,  Kt,  the  maximum  value  is  100,  while  using 
the  top  path  R'c-  KB,  A'r,  the  maximum  value  is  200.  Now, 
if  a  user  is  interested  in  only  100  units  of  H  \  from  T,  then  it  could 
go  ahead  based  on  any  of  these  paths.  On  the  other  hand,  if  the 
user  is  interested  in  300  units  of  R±,  the  first  200  can  be  filled 
using  the  top  path  and  the  remaining  100  filled  using  the  middle 
path  (or  some  other  path). 

In  general,  the  total  amount  of  R\  that  can  be  reliably  obtained 
from  T  (assuming  S  is  completely  trusted  to  fulfil  its  obligations) 
equals  the  maximum  flow  in  the  graph  (using  the  c  labels).  Gen¬ 
eralizing  further,  by  Theorem  1,  if  S'  can  be  fully  trusted  to  fulfil 
its  obligations,  then  T  can  be  relied  to  provide  resources  up  to  the 
flow  value  of  maximum  flow  Fmax  computed  on  graph  G.  By 
Theorem  1,  the  maximum  value  for  resource  Ri  can  be  computed 


by  considering  only  the  i-th  component  of  the  capacity  labels.  If 
each  certificate  also  includes  trust  values,  then  X  can  also  con¬ 
duct  a  more  thorough  risk  analysis  on  relying  on  T  to  provide  re¬ 
sources.  The  risk  computed  will  depend  on  X’s  own  assumptions 
of  trustworthiness  of  other  parties,  and  how  its  risk  framework 
combines  these  trust  values  to  compute  risk. 

We  note  that  the  system  allows  for  a  natural  feedback  mecha¬ 
nism.  In  case  of  a  good  ‘transaction’  between  T  and  X ,  T  would 
want  to  provide  evidence  to  the  parties  that  certified  it  which 
would  then  propagate  this  evidence  up  the  certificate  chain.  On 
the  other  hand,  in  case  of  a  bad  transaction,  X  has  incentive  to  no¬ 
tify  parties  up  in  the  certificate  chain.  In  this  way,  for  both  good 
or  bad  transaction,  a  certificate  issuing  party  will  receive  a  feed¬ 
back  that  can  be  used  to  refine  trust  values  in  the  later  rounds. 
Note  that  the  auditing  and  reporting  mechanism  may  not  work  on 
a  transaction  by  transaction  basis,  but  may  rely  on  batch  process¬ 
ing,  in  which  case,  there  will  be  a  delay  incurred  in  the  feedback 
mechanism.  However,  such  delays  are  manageable  in  a  trust  man¬ 
agement  systems  as  shown  by  Srivatsa  et  al.  [2], 

7  Discussion 

Let  us  examine  some  potential  implications  of  our  proposal.  Our 
model  requires  that  if  there  is  an  edge  in  the  reputation  graph  from 
K  ,\  to  Kb  labeled  with  capacity  c  for  resource  R,  then  the  owner 
of  the  public  key  KA  is  responsible  for  provide  up  to  c  units  of 
the  resource  R  if  B  fails.  This  liability  raises  the  question  of  mo¬ 
tivation  on  behalf  of  certifying  parties.  We  note  that  this  question 
is  not  unique  to  our  proposal,  it  is  a  question  for  all  trust  manage¬ 
ment  systems.  In  traditional  trust  management  systems  [13,  14] 
vouching  false  or  misleading  attributes  to  other  parties  incurs  no 
direct  penalty,  and  as  a  consequence,  these  systems  suffer  from  a 
number  of  attacks.  Our  system  avoids  this  problem  by  holding  the 
certifying  party  directly  responsible  for  its  certificates. 

Our  proposal  naturally  provides  separation  of  a  multitude  of 
concerns.  In  our  proposal,  a  coalition  partner  that  vouches  for 
another  are  not  assumed  to  be  next  neighbors  on  a  MANET.  In 
contrast  to  traditional  proposals  [3,  13],  our  proposal  does  not  re¬ 
quire  that  agents  who  are  competent  in  MANET  communication 
also  be  competent  in  providing  recommendations.  The  proposal 
separates  communication  protocol  issues  from  trust  related  issues. 

Another  benefit  of  our  proposal  is  that  the  input  provided  by  a 
malicious  node  to  the  trust  management  system  does  not  get  in¬ 
termixed  with  input  provided  by  other  nodes.  In  fact,  all  trust 
values  and  capabilities  are  included  in  certificates  that  remain  sep¬ 
arate  from  each  other.  Only  when  needed  these  certificates  are  ex¬ 
changed  between  partners  to  allow  risk  analysis.  If  due  to  privacy 
or  secrecy  reasons,  a  coalition  partner  does  not  want  to  reveal  its 
certificate  chains,  then  it  can  enter  in  a  trust  negotiation  with  an¬ 
other  partner  and  provide  these  certificate  chains  piecemeal  until 
the  risk  is  sufficiently  mitigated  to  conduct  a  mission. 

In  our  proposal,  agents  need  not  be  homogenous,  they  need  not 
to  use  the  same  or  similar  criterion  to  evaluate  trust  in  others.  The 
proposed  model  is  a  hybrid  where  trust  is  manifested  in  two  forms: 
a  more  traditional  non-binding  trust  that  is  expressed  as  a  single 
value  between  zero  and  one,  and  a  trust  that  requires  trusting  agent 
to  take  explicit  responsibility  of  the  trustee’s  actions.  We  believe 
this  provides  a  better  compromise  and  accommodation  of  different 


types  and  degrees  of  trust. 
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